Good point … and totally agree that the word “hacking” used to mean something - 
now it just kinda makes people laugh and not take it seriously at all anymore…


> On Oct 21, 2016, at 4:44 PM, Ken Hohhof <af...@kwisp.com> wrote:
> 
> I think his point was that a denial of service attack is not hacking.
>  
> I just heard on the radio someone was asking, if I try to use Twitter and it 
> doesn’t work because of this attack, is my computer now hacked?
>  
> Even stuff that rightly gets called hacking is an insult to hackers.  Like if 
> your webcam is on a public IP address and I guess that the password is 1234, 
> and that gets me root access to install whatever I want, it hardly seems 
> right to call that hacking.
>  
> But taking down a site by flooding it (or its authoritative DNS servers) with 
> traffic is not the same as hacking the site.
>  
> From: Af [mailto:af-boun...@afmug.com] On Behalf Of Paul Stewart
> Sent: Friday, October 21, 2016 3:34 PM
> To: af@afmug.com
> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
>  
> Agree…. it should be focused on end users better securing themselves …. 
>  
>> On Oct 21, 2016, at 3:44 PM, That One Guy /sarcasm 
>> <thatoneguyst...@gmail.com> wrote:
>>  
>> I'm getting irritated by news reports calling this hacking. That term has 
>> been so obfuscated by dimwits that it has no value
>>  
>> On Fri, Oct 21, 2016 at 1:54 PM, Josh Luthman <j...@imaginenetworksllc.com> wrote:
>>> It works great for me 90% of the time.  The other 10% it refuses to 
>>> function at all.
>>> 
>>>  
>>> Josh Luthman
>>> Office: 937-552-2340
>>> Direct: 937-552-2343
>>> 1100 Wayne St
>>> Suite 1337
>>> Troy, OH 45373
>>>  
>>> On Fri, Oct 21, 2016 at 2:50 PM, Paul Stewart <p...@paulstewart.org> wrote:
>>>> LOL …. scary shit….
>>>>  
>>>> Facebook being slow isn’t anything new in my experience … they have to be 
>>>> having a hard time keeping up sometimes …. last I heard they were adding 
>>>> something around 200-300 new servers a day in each data centre
>>>>  
>>>>> On Oct 21, 2016, at 2:48 PM, That One Guy /sarcasm 
>>>>> <thatoneguyst...@gmail.com> wrote:
>>>>>  
>>>>> forcing people to interact in person... a dangerous prospect in these 
>>>>> times
>>>>>  
>>>>> On Fri, Oct 21, 2016 at 1:43 PM, Tim Reichhart 
>>>>> <timreichh...@hometowncable.net> wrote:
>>>>>> It seems like facebook is also getting slow.
>>>>>>  
>>>>>>> 
>>>>>>> -----Original Message-----
>>>>>>> From: "Travis Johnson" <t...@ida.net>
>>>>>>> To: af@afmug.com
>>>>>>> Date: 10/21/16 02:37 PM
>>>>>>> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
>>>>>>> 
>>>>>>> This is still going right now... big and small websites and ISPs are 
>>>>>>> unreachable and unresponsive. :(
>>>>>>> 
>>>>>>> Travis
>>>>>>> 
>>>>>>> 
>>>>>>> On 10/21/2016 12:19 PM, Ken Hohhof wrote:
>>>>>>>  
>>>>>>>> Interesting, according to that, the ISP DNS servers are recruited as 
>>>>>>>> part of the attack on the victim's authoritative DNS servers, by 
>>>>>>>> sending queries from within the ISP's network.
>>>>>>>>  
>>>>>>>> No spoofing, no amplification, no misconfigured DNS servers required, 
>>>>>>>> yet the ISP's DNS servers are used to send the attack traffic. All 
>>>>>>>> that is needed is a compromised IoT to send the query.
>>>>>>>>  
>>>>>>>>  
>>>>>>>> From: Af [mailto:af-boun...@afmug.com] On Behalf Of Josh Baird
>>>>>>>> Sent: Friday, October 21, 2016 12:42 PM
>>>>>>>> To: af@afmug.com
>>>>>>>> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
>>>>>>>>  
>>>>>>>>  
>>>>>>>> Right - crap IoT devices on the Mirai botnet were responsible for 
>>>>>>>> shoving 620+Gbps of traffic at Akamai to take down Krebs (and over 
>>>>>>>> 1Tbps to take down OVH). No spoofing involved.
>>>>>>>>  
>>>>>>>> Interesting article on the techniques used by Mirai:
>>>>>>>>  
>>>>>>>> https://f5.com/about-us/news/articles/mirai-the-iot-bot-that-took-down-krebs-and-launched-a-tbps-ddos-attack-on-ovh-21937
>>>>>>>>  
>>>>>>>>  
>>>>>>>> On Fri, Oct 21, 2016 at 1:30 PM, Ken Hohhof <af...@kwisp.com> wrote:
>>>>>>>>> The amplifier would receive a query from a spoofed IP address, and 
>>>>>>>>> respond using a legit IP address. So the attacker needs to control 
>>>>>>>>> some computers that can spoof the victim's IP address, but the actual 
>>>>>>>>> attack traffic comes from the amplifiers using legit source IPs.
>>>>>>>>>  
>>>>>>>>> In the case of IoT botnets, I'm not sure any spoofing is required.
>>>>>>>>>  
>>>>>>>>> From: Af [mailto:af-boun...@afmug.com] On Behalf Of Josh Baird
>>>>>>>>> Sent: Friday, October 21, 2016 12:21 PM
>>>>>>>>> To: af@afmug.com
>>>>>>>>> Subject: Re: [AFMUG] Another large DDoS, Stop Being a Dick
>>>>>>>>>  
>>>>>>>>> It's a good start. It attempts to prevent spoofed traffic originating 
>>>>>>>>> from your network from leaving your network (or BCP38).
>>>>>>>>>  
>>>>>>>>> On Fri, Oct 21, 2016 at 1:19 PM, Josh Luthman 
>>>>>>>>> <j...@imaginenetworksllc.com> wrote:
>>>>>>>>>> It can't be that simple...can it?
>>>>>>>>>> 
>>>>>>>>>>  
>>>>>>>>>> Josh Luthman
>>>>>>>>>> Office: 937-552-2340
>>>>>>>>>> Direct: 937-552-2343
>>>>>>>>>> 1100 Wayne St
>>>>>>>>>> Suite 1337
>>>>>>>>>> Troy, OH 45373
>>>>>>>>>>  
>>>>>>>>>>  
>>>>>>>>>> On Fri, Oct 21, 2016 at 1:17 PM, Mike Hammett <af...@ics-il.net> wrote:
>>>>>>>>>>> /ip firewall address-list
>>>>>>>>>>> add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="My IPs"
>>>>>>>>>>> add list="Public-IPs" address=x.x.x.x/yy disabled=no comment="Downstream customer X IPs"
>>>>>>>>>>> 
>>>>>>>>>>> /ip firewall filter
>>>>>>>>>>> # Egress filter: drop packets leaving via the upstream whose source is not in Public-IPs
>>>>>>>>>>> add action=drop chain=forward comment="Drop spoofed traffic" disabled=no out-interface="To-Upstream" src-address-list=!"Public-IPs"
>>>>>>>>>>> 
>>>>>>>>>>> That was largely composed off of the top of my head and typed on my 
>>>>>>>>>>> phone, so it may not be completely accurate.
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> You should also do it on customer-facing ports, not allowing 
>>>>>>>>>>> anything to come in, but that would be best approached once 
>>>>>>>>>>> Mikrotik adds the per-interface setting for unicast reverse path 
>>>>>>>>>>> filtering. You would then set customer-facing interfaces to strict 
>>>>>>>>>>> and all other interfaces to loose. They accepted the feature 
>>>>>>>>>>> request, just haven't implemented it yet.
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> -----
>>>>>>>>>>> Mike Hammett
>>>>>>>>>>> Intelligent Computing Solutions <http://www.ics-il.com/>
>>>>>>>>>>> Midwest Internet Exchange <http://www.midwest-ix.com/>
>>>>>>>>>>> The Brothers WISP <http://www.thebrotherswisp.com/>
>>>>>>>>>>> 
>>>>>>>>>>> From: "Mike Hammett" <af...@ics-il.net>
>>>>>>>>>>> To: af@afmug.com
>>>>>>>>>>> Sent: Friday, October 21, 2016 11:21:35 AM
>>>>>>>>>>> Subject: [AFMUG] Another large DDoS, Stop Being a Dick
>>>>>>>>>>> 
>>>>>>>>>>> There's another large DDoS going on now. Go to this page to see if 
>>>>>>>>>>> you can be used for UDP amplification (or other spoofing) attacks:
>>>>>>>>>>> 
>>>>>>>>>>> https://www.caida.org/projects/spoofer/
>>>>>>>>>>> 
>>>>>>>>>>> Go to these pages for more longer term bad behavior monitoring:
>>>>>>>>>>> 
>>>>>>>>>>> https://www.shadowserver.org/wiki/
>>>>>>>>>>> https://radar.qrator.net/
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> Maybe we need to start a database of ASNs WISPs are using and start 
>>>>>>>>>>> naming and shaming them when they have bad actors on their network. 
>>>>>>>>>>> This is serious, people. Take it seriously.
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> 
>>>>>>>>>>> -----
>>>>>>>>>>> Mike Hammett
>>>>>>>>>>> Intelligent Computing Solutions <http://www.ics-il.com/>
>>>>>>>>>>> Midwest Internet Exchange <http://www.midwest-ix.com/>
>>>>>>>>>>> The Brothers WISP <http://www.thebrotherswisp.com/>
>>>>> 
>>>>> -- 
>>>>> If you only see yourself as part of the team but you don't see your team 
>>>>> as part of yourself you have already failed as part of the team.
>> 
>> -- 
>> If you only see yourself as part of the team but you don't see your team as 
>> part of yourself you have already failed as part of the team.
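
An added example, not part of the original thread: a small Python model of the upstream egress rule and of the strict/loose unicast reverse path filtering discussed above. The prefixes, the route table and every interface name except `To-Upstream` are constructed assumptions; `field="dst"` shows what matching the destination against the list would do instead.

```python
import ipaddress

# Constructed sample data (RFC 5737 documentation prefixes, not from the thread).
PUBLIC_IPS = ["203.0.113.0/24", "198.51.100.0/25"]   # stands in for "Public-IPs"
ROUTES = [("203.0.113.0/26", "ether-cust1"),          # hypothetical interface names
          ("203.0.113.64/26", "ether-cust2"),
          ("192.0.2.0/24", "To-Upstream")]            # no default route, for clarity


def in_list(addr, prefixes):
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(p) for p in prefixes)


def egress_action(src, dst, out_interface, field="src"):
    """Forward-chain drop rule on To-Upstream. field="src" is the BCP38 check;
    field="dst" models matching the destination against the list instead."""
    if out_interface != "To-Upstream":
        return "accept"
    checked = src if field == "src" else dst
    return "accept" if in_list(checked, PUBLIC_IPS) else "drop"


def urpf_action(src, in_interface, mode):
    """strict: the longest-prefix route back to src must use the arrival interface.
    loose: any route covering src is enough."""
    ip = ipaddress.ip_address(src)
    matches = [(ipaddress.ip_network(p), ifc) for p, ifc in ROUTES
               if ip in ipaddress.ip_network(p)]
    if not matches:
        return "drop"
    if mode == "loose":
        return "accept"
    best = max(matches, key=lambda m: m[0].prefixlen)
    return "accept" if best[1] == in_interface else "drop"


if __name__ == "__main__":
    # Constructed packets: (source, destination)
    packets = {"legit": ("203.0.113.10", "192.0.2.53"),
               "spoofed": ("192.0.2.99", "192.0.2.53")}  # source is not ours
    for name, (s, d) in packets.items():
        print(name, "src-match:", egress_action(s, d, "To-Upstream"),
              "dst-match:", egress_action(s, d, "To-Upstream", field="dst"))
    # Packets arriving on ether-cust1 with an own, a neighbour's and an unrouted source
    for s in ("203.0.113.10", "203.0.113.70", "10.9.9.9"):
        print(s, "strict:", urpf_action(s, "ether-cust1", "strict"),
              "loose:", urpf_action(s, "ether-cust1", "loose"))
```

Strict mode on a customer port catches a customer borrowing a neighbour's address, which the list-based egress rule at the upstream edge cannot see because both addresses are in the list.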
